external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
aurweb/web/lib
History
canyonknight 2c93f0a98f Implement token system to fix CSRF vulnerabilities 
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-06-24 10:59:23 +02:00
..
acctfuncs.inc.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
aur.inc.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
aurjson.class.php Escape wildcards in "LIKE" patterns 2011-10-25 09:25:43 +02:00
cachefuncs.inc.php Make cache type selectable based on config value 2011-06-22 15:21:21 +02:00
config.inc.php.proto Replace "nb_NO" translation by "nb" 2012-03-09 08:21:38 +01:00
feedcreator.class.php RSS support implemented 2005-06-10 23:07:24 +00:00
gettext.php Add php-gettext libraries to "web/lib/". 2011-04-10 15:40:49 +02:00
pkgfuncs.inc.php Escape wildcards in "LIKE" patterns 2011-10-25 09:25:43 +02:00
stats.inc.php Wrap mysql_real_escape_string() in a function 2011-10-25 09:25:30 +02:00
streams.php Add php-gettext libraries to "web/lib/". 2011-04-10 15:40:49 +02:00
translator.inc.php rename *.inc files to *.inc.php and adjust imports and references 2011-06-22 15:15:04 +02:00
version.inc.php Release 1.9.1 2012-03-09 09:24:52 +01:00